• Certificate Updated CA - R11 still pointing to ISRG Root X1

    2
    0 Votes
    2 Posts
    948 Views
    J

    Resolved

Found some documentation on Let's Encrypt (I really thought the CA change would be handled automatically; apparently not).

    What I did was grab the pem they have listed, create a new CA with the same name, paste the pem and save the new CA

    The chain "Certificates" immediately changed to the new CA removing the count of 1 from the Sept 2024 soon to expire CA and assigning it to the new one (likely would have been fine to just replace the cert pem data in the original and update it.)

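The post above swaps the stored intermediate for a freshly pasted PEM with the same name. The script below is an added example, not from the thread and not Let's Encrypt's or pfSense's own code: it rebuilds that situation with throwaway keys (a root, two intermediates that share the subject "Example Intermediate" but have different keys, and a leaf signed by the newer one) and then runs the three checks a practitioner would use on a stored CA entry. The names, the zone `example.test` and the temporary files are all placeholders.

```shell
#!/bin/sh
# Added example, not from the forum thread: shows why "same CA name" is not
# enough when an intermediate such as R11 is rotated, and how to check the
# stored CA entry against a leaf. Placeholder names and freshly generated
# throwaway keys only, never Let's Encrypt's real certificates.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the run does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Root
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
cat > "$WORK/int.ext" <<'EOF'
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
subjectAltName = DNS:pfsense.example.test
authorityKeyIdentifier = keyid
EOF

# $1 = output basename, $2 = subject CN, $3 = signer basename, $4 = extension file
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -days 30 -sha256 \
    -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
    -extfile "$4" -out "$WORK/$1.pem" 2>/dev/null
}

# Root, then two intermediates with the SAME subject but different keys
# (the expiring one and its replacement), then a leaf signed by the new one.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
issue old_int "Example Intermediate"  root    "$WORK/int.ext"
issue new_int "Example Intermediate"  root    "$WORK/int.ext"
issue leaf    "pfsense.example.test"  new_int "$WORK/leaf.ext"

ROOT=$WORK/root.pem; STALE_CA=$WORK/old_int.pem
CURRENT_CA=$WORK/new_int.pem; LEAF=$WORK/leaf.pem

# Check 1 (name only): does the leaf's issuer DN equal the stored CA's subject DN?
issuer_matches() {
  [ "$(openssl x509 -in "$1" -noout -issuer  | sed 's/^[a-z]*= *//')" = \
    "$(openssl x509 -in "$2" -noout -subject | sed 's/^[a-z]*= *//')" ]
}

# Check 2: does the leaf's Authority Key Identifier equal the CA's Subject Key
# Identifier? This is what tells two CAs apart when they share a name.
key_id() {   # $1 = cert, $2 = "Subject Key Identifier" or "Authority Key Identifier"
  openssl x509 -in "$1" -noout -text | grep -A1 "$2" \
    | grep -oE '([0-9A-F]{2}:){19}[0-9A-F]{2}' | head -n 1
}
key_ids_match() {
  akid=$(key_id "$1" "Authority Key Identifier")
  [ -n "$akid" ] && [ "$akid" = "$(key_id "$2" "Subject Key Identifier")" ]
}

# Check 3: does the chain actually verify up to the trusted root?
chain_verifies() {   # $1 = leaf, $2 = intermediate, $3 = root
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

report() {           # $1 = label, $2 = stored CA file
  for chk in issuer_matches key_ids_match; do
    if "$chk" "$LEAF" "$2"; then echo "$1: $chk ok"; else echo "$1: $chk FAIL"; fi
  done
  if chain_verifies "$LEAF" "$2" "$ROOT"; then echo "$1: chain_verifies ok"
  else echo "$1: chain_verifies FAIL"; fi
}
report "stale CA entry  " "$STALE_CA"
report "updated CA entry" "$CURRENT_CA"
```

Against the stale entry only the name check passes: the key identifiers differ and `openssl verify` cannot build a chain, which is exactly the situation a client sees when the pfSense CA entry still holds the old PEM. After the PEM is replaced, all three checks pass, so the key-identifier comparison (not the CA name) is the one to run when a certificate shows as chained to the wrong entry.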

  • Acme and All-Inkl DNS

    1
    0 Votes
    1 Posts
    118 Views
    No one has replied
  • New pfSense, Acme Key and Cert error

    1
    0 Votes
    1 Posts
    145 Views
    No one has replied
  • test post for Acme

    1
    0 Votes
    1 Posts
    94 Views
    No one has replied
  • Certificates

    Moved
    4
    0 Votes
    4 Posts
    228 Views
    GertjanG

    @thezfunk

You're nearly done, I guess.
You saw it: https://github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_namecheap
And of course the namecheap acme.sh documentation.

Fill in the domain name, like "pfsense.domain.tld" (you rent domain.tld, right?).
Then the API key.
Get the user name.

    My advice : set DNS Sleep to "120" seconds.
    And you should be good.

For namecheap stories, use the forum search button, and search in the pfSense acme.sh sub-forum.
Not this one: for some reason you posted here, but the question isn't "General" at all, and acme has its own forum dedicated to the acme.sh package. Let me highlight it for you:

[screenshot]

  • Where to DL acme cert manually?

    2
    0 Votes
    2 Posts
    189 Views
    GertjanG

    @Hyperion said in Where to DL acme cert manually?:

    I have no internet connection on that Netgate and want to download

    Download without an Internet connection ....

    @Hyperion said in Where to DL acme cert manually?:

    and install the packages manually.

Experts have tried this.
Guess they don't have a connection either: they never came back to post their findings here on the forum.

The (FreeBSD) built-in pkg, the package manager, could be used to install FreeBSD packages, but for a pfSense package you need the GUI. I hope to be wrong, of course.

    @Hyperion said in Where to DL acme cert manually?:

    Does anyone know a URL source where I can download the needed certificates and install them manually via Terminal/Shell within pfSense

    Can't you just connect to the GUI and install the cert ?
    pfSense is GUI driven.

  • 0 Votes
    2 Posts
    1k Views
    S

Hi, I went through several rounds of testing and I believe that this is a bug somewhere in pfSense or stunnel.

Currently:

- The web interface of pfSense uses the same certificate without issues.
- Stunnel with the same certificate fails on pfSense (Error resolving "r11.o.lencr.org": Address family for nodename not supported (EAI_ADDRFAMILY)).
- Installing stunnel 5.68 on Debian 12.5, the same certificate (PEM file copied from pfSense) works without issues.
  • ACME using DNS-DuckDNS failing to renew cert

    3
    0 Votes
    3 Posts
    290 Views
    B

    @bmarkel
This did help a little. After saving the changes and attempting to Issue/Renew again, the screen refreshed with the ACME certbot messages, giving me a partial error. Trying to simplify the issue, I created a fresh certificate using Let's Encrypt Staging, but the errors have been similar.

  • ACME IP address or domain

    4
    0 Votes
    4 Posts
    1k Views
    GertjanG

    @aes4096 said in ACME IP address or domain:

    I can use the DNS method or purchase a Wildcard certificate with subdomain protection, which is more expensive.

If you can use a DNS method, you can ask for a wildcard certificate.
Let's Encrypt will still be free to use.

If you own (= rent) a domain name, you control the domain. You are the only one able to create subdomains.
I can prove that: try creating aes4096.microsoft.com. Good luck ^^

  • 0 Votes
    4 Posts
    1k Views
    GertjanG

    @jcubillo

    Oh ... great. I guess they want to stop being the registrar for 'everybody'.

  • Failure updating ACME certificate - 2

    2
    0 Votes
    2 Posts
    271 Views
    GertjanG

    @lucas1

You've locked yourself in a corner.
For example: I don't recall how things were done several versions ago, and I'm pretty sure very few will be able to.

You can't upgrade the acme package, as you can only install/upgrade pfSense packages if you use the latest pfSense version: that's 2.7.2. pfSense 2.5.0 was from 2019/2020?

The thing is: Cloudflare can update (change) the way the DNS API works.
Accordingly, the pfSense acme.sh package will get updated as well....

So, get the current pfSense version first. Install the latest acme pfSense package. Then try again.

    @lucas1 said in Failure updating ACME certificate - 2:

    Please check log file for more details: /tmp/acme/mydomain/acme_issuecert.log

    You've checked ?

  • ACME client can't check for DNS entries due to Error 60

    2
    0 Votes
    2 Posts
    380 Views
    GertjanG

    @MordyT said in ACME client can't check for DNS entries due to Error 60:

    url='https://cloudflare-dns.com'

    exist ??

Set DNS-Sleep to at least:

[screenshot]
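Both the namecheap reply above ("set DNS Sleep to 120 seconds") and this Cloudflare thread work around DNS-01 propagation lag with a fixed wait. The script below is an added example, not from either thread and not the acme.sh package's own code: instead of sleeping a fixed number of seconds it asks the zone's authoritative nameservers directly and returns only once every one of them serves the expected `_acme-challenge` TXT value. It assumes `dig` is installed; the zone, record name and token are placeholders.

```shell
#!/bin/sh
# Added example, not from the forum threads and not the acme.sh package's own
# code: replace a fixed "DNS Sleep" with a poll of the zone's authoritative
# nameservers until all of them serve the expected _acme-challenge TXT value.
# Assumes `dig` is installed. The zone, record name and token are placeholders.
set -e

# Authoritative nameservers of the zone (assumes $1 is the zone apex, e.g. domain.tld).
authoritative_ns() {
  dig +short NS "$1" | sed 's/\.$//'
}

# TXT values that nameserver $1 currently serves for name $2, one per line,
# surrounding quotes removed. Queried directly, so no resolver cache gets in the way.
lookup_txt() {
  dig +short @"$1" TXT "$2" | tr -d '"'
}

# 0 when nameserver $1 serves token $3 as a TXT value of $2, 1 otherwise.
ns_has_token() {
  lookup_txt "$1" "$2" | grep -qxF "$3"
}

# Poll every nameserver in $NS_LIST until all of them serve the token.
# $1 = record name, $2 = expected token, $3 = max polls (default 30),
# $4 = seconds between polls (default 10). Returns 0 once propagated, 1 on timeout.
wait_for_txt() {
  name=$1; token=$2; polls=${3:-30}; interval=${4:-10}
  i=0
  while [ "$i" -lt "$polls" ]; do
    missing=0
    for ns in $NS_LIST; do
      if ! ns_has_token "$ns" "$name" "$token"; then
        missing=1
        echo "poll $i: $ns does not serve the token yet" >&2
      fi
    done
    if [ "$missing" -eq 0 ]; then
      return 0
    fi
    i=$((i + 1))
    sleep "$interval"
  done
  echo "gave up after $polls polls" >&2
  return 1
}

# Usage: sh wait_txt.sh domain.tld _acme-challenge.pfsense.domain.tld <token>
# Only runs when arguments are given, so the functions can also be sourced on their own.
if [ $# -ge 3 ]; then
  NS_LIST=$(authoritative_ns "$1")
  wait_for_txt "$2" "$3"
fi
```

A fixed sleep that is too short fails the challenge; one that is too long just wastes time. Querying each authoritative server by name (`@ns`) matters because a recursive resolver may keep serving a cached old value, which is also why a stale token on one server shows up as a never-ending "does not serve the token yet" until the timeout.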

  • local and remote CA for lets encrypt

    1
    0 Votes
    1 Posts
    242 Views
    No one has replied
  • Trouble updating certificate with using GoDaddy DNS

    4
    0 Votes
    4 Posts
    502 Views
    D

    @dmorda I also had problems renewing with Godaddy API and the only solution I found was moving to Cloudflare where renewals are working perfectly.

  • Trouble with DNS NSUPDATE (Enable DNS alias mode )

    15
    0 Votes
    15 Posts
    739 Views
    H

    I think I had the same issue with ACME - LE and DA dns check. See this topic
    This one was also solved with the update/reverted code.
    Thank you for the quick fix release @jimp

  • ACME v0.8 Let's Encrypt certificate renewal issue

    5
    0 Votes
    5 Posts
    717 Views
    H

    Noticed there was a new version today 0.8_1 with changes reverted from 0.8 regarding failing challenge checks that were working previously.

    Installed this update, changed the dns wait to 60 seconds again and tested the certificate renewal.
    Worked like a charm again on the first try.

  • ACME Package 0.8 / GoDaddy DNS API-Provider, Cert renewal fails

    1
    0 Votes
    1 Posts
    141 Views
    No one has replied
  • ACME pkg v0.8

    2
    5 Votes
    2 Posts
    496 Views
    No one has replied
  • 0 Votes
    4 Posts
    1k Views
    P

    Thank you very much for this valuable information. Following these suggestions worked out well for me.

    Regards.

  • Possible ACME bug in 23.09.1

    2
    0 Votes
    2 Posts
    469 Views
    GertjanG

    @ak4 said in Possible ACME bug in 23.09.1:

    ended up being related to pfBlocker

pfBlocker, by itself, when you install it, does 'nothing'.
I'll advise you strongly to fact-check this and not just believe me ^^

So, yes, it's actually easy: you install 'some DNSBL' or IP list and suddenly you can't, from your LANs, reach some destinations on the Internet.
And also the other way around: suddenly you block sources that need to contact your pfSense, like the Let's Encrypt verification service, as you've picked a list that contains these sources (IP, etc.).
I presume you managed to do just that.

Remember: you use these DNSBL lists and IP lists 'as is'. But shouldn't you check them before using them?
It has happened: a list contains all the Amazon AWS IPs. Right after you use this list, suddenly pfBlockerNG can't update any list anymore, as most lists are hosted on Amazon AWS.
Or, also pure fun: some IP list managed to include all of RFC1918, and suddenly pfBlocker starts to block all your LAN devices, and it's "Internet & pfSense is broken again" time, or actually "the admin didn't do its job" time.

What I normally do if I use a new list: I use this package:

[screenshot]

and I make notes, like: installed on 2024-04-04 IP list Xyz, and then I see what happens. If something strange happens, I undo what I've done last, and often the issue is solved. Then I go through the 'why' phase.

But before testing: don't you want the latest acme version (with the latest corrections, etc.)?

I'm using 23.09.1 (actually 24.03-BETA since a week, as it is rock solid) and:

[screenshot]

which came out .... weeks ago.
    Why wait ?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.